SOX compliance is time-consuming, costly, and complex. It can place pressures on talent and resources as companies grapple with controls across intricate processes, and many still struggle to attract and retain the SOX expertise required to sustain program integrity.
The Sarbanes-Oxley Act of 2002 (SOX), the foundation of corporate financial accountability in the U.S., was enacted after various scandals exposed deep flaws in governance and internal controls. Designed to restore investor trust, it established strict requirements for financial reporting accuracy, executive accountability, and the effectiveness of internal controls. More than two decades later, SOX remains the benchmark for public company compliance. Its most scrutinized and demanding provision is Section 404.
As companies prepare for the rigor of public reporting, effectively navigating Section 404 is critical. It requires organizations to establish and maintain an adequate internal control structure and procedures for financial reporting, generally known as internal control over financial reporting (ICFR). Understanding the distinct requirements of Section 404(a) and Section 404(b) and charting a clear road map toward compliance are essential steps for building investor trust, avoiding regulatory penalties, and sustaining long-term operational integrity.
What are SOX Section 404(a) and Section 404(b)?
SOX Section 404 is divided into two key subsections, each with different compliance requirements and oversight responsibilities.
Section 404(a): Management’s responsibility for ICFR
All publicly traded companies must comply with SOX Section 404(a). It mandates that company management assess the effectiveness of its internal control over financial reporting and disclose the results in its annual Form 10-K filing. This assessment is widely interpreted to be risk-based and includes:
- Identifying risks of material misstatement to the company’s financial statements
- Designing controls to mitigate those risks
- Testing the operation of the controls to confirm they are operating as intended
- Documenting and reporting findings to company management and the audit committee
Section 404(b): Independent auditor attestation
Section 404(b) is an extension of Section 404(a), but with a third-party attestation. It requires an independent public accounting firm registered with the Public Company Accounting Oversight Board (PCAOB) to audit the effectiveness of ICFR and provide a report in the company’s Form 10-K. This applies only to companies that are accelerated filers or large accelerated filers.
The presence of Section 404(b) requirements significantly increases the complexity and resource intensity of compliance because of the requirement for an independent registered public accounting firm to report on ICFR.
Who must comply and when?
Filer type determines ICFR requirements. The timing of ICFR compliance depends on a company’s Securities and Exchange Commission (SEC) filer classification, which is based largely on public float (the market value of shares held by nonaffiliated public investors) and annual revenues. Following is a breakdown of SEC guidance for large accelerated filers, accelerated filers, smaller reporting companies (SRCs), and emerging growth companies.
| Filer type | Public float | Annual revenue | SOX Section 404(a) | SOX Section 404(b) |
|---|---|---|---|---|
| Large accelerated filers | ≥ $700 million | Any | ✔️ | ✔️ |
| Accelerated filers (not SRCs) | $250 million to < $700 million | ≥ $100 million | ✔️ | ✔️ |
| SRCs that are accelerated filers | $75 million to < $250 million | ≥ $100 million | ✔️ | ✔️ |
| SRCs that are nonaccelerated filers | $75 million to < $700 million | < $100 million | ✔️ | ❌ |
| SRCs that are nonaccelerated filers | < $75 million | Any | ✔️ | ❌ |
| Emerging growth companies | Varies | < $1.235 billion | ✔️ | ❌ (for up to five years after IPO) |
Note: Filer status is reassessed annually at the end of a company’s second fiscal quarter. For instance, a company with a fiscal year (FY) end of Dec. 31 would assess its status based on public float as of June 30.
When does SOX Section 404 compliance begin for newly public companies?
The SEC provides a grace period for newly public companies. Specifically, companies generally have until the second Form 10-K filing after their IPO to become SOX Section 404(a) compliant. For example:
- If an IPO occurs in May 2024 and the FY ends on Dec. 31, the first Form 10-K (for FY 2024) would be due in early 2025 and would not require management’s assessment.
- A second Form 10-K (for FY 2025), filed in early 2026, must be SOX Section 404(a) compliant and might also need to be Section 404(b) compliant, depending on filer status.
This window offers valuable runway to design, test, and refine controls before undergoing full compliance obligations.
SOX readiness road map: A five-phase maturity model
Achieving SOX compliance is not a one-off exercise; it is a multiphase transformation. A phased road map spanning 12 to 18 months is a realistic planning horizon for Section 404(b) compliance, ideally beginning about 18 months before the end of the first fiscal year for which a Section 404 assessment is required, which is the year covered by the second Form 10-K (for example, for an IPO in May 2024 with a Dec. 31 year-end, readiness work should start by mid-2024 to meet FY 2025 compliance in early 2026).
Phase 1: Planning and scoping
Timeline: Month 1 (for example, June 2024)
Objective: Establish program governance, define materiality, and define the scope of ICFR
Key activities:
- Define governance structure; appoint a SOX project leader (often internal audit or controllership) and build a cross-functional team including external specialists
- Calculate materiality
- Map financial reporting processes to financial statement line items and general ledger accounts; identify core business cycles such as revenue, procurement, inventory, financial close, human resources (HR), payroll, treasury, and tax
- Perform scoping analysis by identifying significant accounts and relevant assertions and assessing materiality thresholds and quantitative and qualitative risk factors
- Determine IT systems in scope; catalog enterprise resource planning (ERP) platforms, subledgers, key spreadsheets, and access and change management systems
- Evaluate potential new ERP systems for emerging company needs, such as NetSuite, Workday, or Microsoft Dynamics 365™ platforms, for scalability, SOX readiness, and built-in control capabilities
- Incorporate systems development life cycle (SDLC) considerations into planning; document change management, access provisioning, testing protocols, and migration controls to confirm ERP implementation aligns with SOX Section 404 expectations
- Define documentation standards; choose a control framework, such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control – Integrated Framework (2013)
- Align with external auditors on all scoping, materiality, and documentation standards; establish formal channels for ongoing communication
- Discuss assessments and plans on significant accounts, assertions, and the risk assessment approach with external auditors
Deliverables:
- SOX project charter
- Financial statement scoping and risk assessment
- Responsible, accountable, consulted, and informed (RACI) matrix, a responsibility assignment tool that clarifies roles and ownership
- Documentation standards manual, a playbook that defines how processes, controls, and testing are documented consistently across the organization and sets templates, detail requirements, and retention standards so evidence is audit-ready, repeatable, and sustainable year after year
- ERP evaluation summary and SDLC control framework outline
- External auditor alignment summary and communication plan
Phase 2: Risk identification and control design
Timeline: Months 2-4 (for example, July-September 2024)
Objective: Identify risks of material misstatement in financial reporting and design internal controls to mitigate those risks
Key activities:
- Process-understanding meetings
  - Engage process owners to understand the flow of a transaction and identify the key risks and controls currently in place
  - Categorize controls as manual or automated and as preventive or detective
  - Identify relevant IT systems, databases, and tools
- Control design
  - Establish entity-level controls, such as tone at the top, ethics, and governance
  - Design process-level controls for each business cycle to address the identified risks of material misstatement
  - Integrate IT general controls (ITGCs), such as access, change management, and operations
- Control documentation
  - Develop control narratives, flowcharts, and control activity descriptions
  - Define the precision level of each control
  - Include control owner responsibilities and evidence-of-performance requirements
- Segregation of duties (SOD) analysis
  - Identify roles, access levels, and conflicting permissions
  - Analyze SOD conflicts across key processes
  - Recommend mitigation actions for high-risk conflicts
- SOC report: CUEC mapping
  - Review System and Organization Controls (SOC) reports and extract complementary user entity controls (CUECs)
  - Map CUECs to internal controls
  - Identify and address control coverage gaps
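The SOD analysis step above is the one activity in this phase that lends itself to a worked check. The following Python script is an added illustration, not code from the original article: it takes a role-to-permission map and a user-to-role map of the kind an ERP access export provides, applies a list of conflicting-permission rules with a risk rating, finds users whose combined roles grant both sides of a conflict (whether inside a single role or across several), marks conflicts that an accepted mitigating control already covers, and recommends a remediation for each open finding. All role names, permissions, users, conflict rules, and the mitigating control are constructed sample data; a real engagement would pull them from the ERP and the approved SOD rule set.

```python
"""Segregation-of-duties (SOD) conflict check over a role-based access export.

Added illustration for the SOD analysis step; not code from the original
article. Roles, permissions, users, rules and mitigations are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# Role -> permissions granted (constructed to mirror a small procure-to-pay,
# general ledger and payroll setup). A real run would load the ERP's
# role/authorization tables here.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "AP_CLERK": frozenset({"vendor.create", "invoice.enter"}),
    "AP_MANAGER": frozenset({"invoice.approve", "payment.release"}),
    "GL_ACCOUNTANT": frozenset({"journal.post", "journal.approve"}),  # conflict built into one role
    "HR_ADMIN": frozenset({"employee.create", "payroll.run"}),
    "READ_ONLY": frozenset({"report.view"}),
}

# User -> assigned roles (constructed).
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "AP_MANAGER"},  # conflict arises only across two roles
    "carol": {"GL_ACCOUNTANT"},         # conflict inside a single role
    "dave": {"HR_ADMIN", "READ_ONLY"},
    "erin": {"AP_MANAGER"},
}


@dataclass(frozen=True)
class ConflictRule:
    """Two permissions one person should not hold together, with a risk rating."""
    perm_a: str
    perm_b: str
    risk: str       # "high" or "medium" (constructed scale)
    rationale: str


# Constructed examples of common toxic combinations; the real rule set is
# agreed with the SOX team and the external auditor.
RULES: List[ConflictRule] = [
    ConflictRule("vendor.create", "payment.release", "high", "can create a vendor and pay it"),
    ConflictRule("invoice.enter", "invoice.approve", "high", "can enter and approve own invoices"),
    ConflictRule("journal.post", "journal.approve", "high", "can post and approve own journals"),
    ConflictRule("employee.create", "payroll.run", "medium", "can create an employee and pay them"),
]

# (user, perm_a, perm_b) combinations an accepted mitigating control covers,
# e.g. an independent monthly payroll register review (constructed).
MITIGATED: Set[Tuple[str, str, str]] = {("dave", "employee.create", "payroll.run")}


@dataclass(frozen=True)
class Finding:
    user: str
    perm_a: str
    perm_b: str
    risk: str
    roles_a: Tuple[str, ...]   # roles granting perm_a
    roles_b: Tuple[str, ...]   # roles granting perm_b
    mitigated: bool

    def recommendation(self) -> str:
        """Suggest a fix: split a role that carries both sides, else drop one side."""
        shared = set(self.roles_a) & set(self.roles_b)
        if shared:
            return f"split role(s) {', '.join(sorted(shared))}: both permissions live in one role"
        return (f"remove one side of the conflict: drop {'/'.join(self.roles_a)} "
                f"or {'/'.join(self.roles_b)} from {self.user}")


def roles_granting(perm: str, roles: Iterable[str],
                   role_permissions: Dict[str, FrozenSet[str]]) -> Tuple[str, ...]:
    """Return the user's roles that grant `perm`, sorted for stable output."""
    return tuple(sorted(r for r in roles if perm in role_permissions.get(r, frozenset())))


def find_conflicts(user_roles: Dict[str, Set[str]],
                   role_permissions: Dict[str, FrozenSet[str]],
                   rules: Iterable[ConflictRule],
                   mitigated: Set[Tuple[str, str, str]] = frozenset()) -> List[Finding]:
    """Evaluate every rule against each user's effective (union of roles) permissions."""
    findings: List[Finding] = []
    for user, roles in sorted(user_roles.items()):
        for rule in rules:
            ra = roles_granting(rule.perm_a, roles, role_permissions)
            rb = roles_granting(rule.perm_b, roles, role_permissions)
            if ra and rb:  # user holds both sides of the conflict
                findings.append(Finding(user, rule.perm_a, rule.perm_b, rule.risk, ra, rb,
                                        (user, rule.perm_a, rule.perm_b) in mitigated))
    return findings


def open_findings_by_risk(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count unmitigated findings per risk rating for the SOD assessment report."""
    counts: Dict[str, int] = {}
    for f in findings:
        if not f.mitigated:
            counts[f.risk] = counts.get(f.risk, 0) + 1
    return counts


if __name__ == "__main__":
    results = find_conflicts(USER_ROLES, ROLE_PERMISSIONS, RULES, MITIGATED)
    for f in results:
        status = "mitigated" if f.mitigated else "OPEN"
        print(f"{f.user:6} {f.risk:6} {status:9} {f.perm_a} + {f.perm_b} -> {f.recommendation()}")
    print("open findings by risk:", open_findings_by_risk(results))
```

Running the script reports two open high-risk conflicts for bob (spanning two roles), one for carol (built into a single role, so the fix is to split the role), and one medium-risk conflict for dave that an existing compensating control already covers. The same structure scales to a full ERP export: replace the constructed dictionaries with the role and assignment tables, and feed `open_findings_by_risk` into the SOD assessment report and gap tracker.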
Deliverables:
- Risk and control matrices (RCMs)
- Entity-level control mapping to COSO principles and points of focus
- ITGC control framework
- Flowcharts and narratives for business processes
- Data flow diagram
- System scoping document
- Gap tracker
- SOD assessment report
- CUEC mapping matrix
Completion of phase 2 marks the true starting line of SOX 404 compliance. By month 4, companies can have established scope, governance, and initial control design, which shows that readiness can be achieved faster than many expect; organizations do not need years to begin their compliance journey.
Phase 3: Key control implementation and validation
Timeline: Months 5-8 (for example, October 2024-January 2025)
Objective: Support control owners in the initial operation and proper execution of controls
Key activities:
- Template creation
  - Create templates for control owners to enable consistent, re-performable execution of controls
- Training
  - Conduct individual and group training to educate control owners on execution of controls
- Design gap identification and remediation
  - Resolve unclear steps, weak documentation, or an inadequate precision level of control
  - Remediate before operational testing begins
- Documentation enhancement
  - Update narratives and RCMs as needed
  - Build the evidence repository and clarify control owner responsibilities
Deliverables:
- Updated RCMs
- Control design documentation, such as control cover sheets
- ITGC templates for user access reviews and change management
- Updated gap tracker
- Updated process narratives, flowcharts, and data flow diagrams
Phase 4: Operational effectiveness testing
Timeline: Months 9-15 (for example, February-August 2025)
Objective: Evaluate whether controls are operating consistently and effectively over time
Key activities:
- Test plan execution
  - Select samples based on control frequency (for example, 25 samples for daily controls and two to three samples for monthly and quarterly controls); sample sizes can be adjusted for the company’s status (Section 404(a) versus Section 404(b), private versus public), the level of risk, and the desired level of preparation
  - Perform attribute-level testing and review whether controls were performed, documented, reviewed, and approved
- Key report testing
  - Identify and validate key reports that support SOX controls
  - Evaluate report logic, source data, and parameters for completeness and accuracy
  - Perform IT-dependent control testing to confirm the integrity and reliability of report generation processes
  - Review access controls and change management procedures related to the reports
  - Obtain and retain evidence of report validation for audit support
- Control failure identification
  - Track exceptions, such as a control not performed, insufficient documentation, or incorrect execution
  - Document root causes and determine whether deficiencies rise to the level of significant deficiencies or material weaknesses
- Deficiency remediation
  - Retrain control owners where needed
  - Where deficiencies are discovered too late for retesting, implement compensating controls if possible
- Coordination with external auditors
  - Discuss testing methodology and evidence with the auditor to align with expectations
  - Share control testing results periodically to build trust and reduce year-end surprises; external auditors can begin their review and testing as early as May 2025 in this timeline example
Deliverables:
- Control test plans
- Summary of test results by control
- Control deficiency log with severity assessments
- Remediation and retesting tracker
- Key report inventory with validation evidence and testing outcomes
Phase 5: External audit readiness and sustainment
Timeline: Months 16-18 (for example, September-November 2025)
Note that external auditors will conclude their internal control design and operating effectiveness testing around the filing of the company’s Form 10-K, so the window for their testing might be longer.
Objective: Receive formal feedback from external auditor testing
Key activities:
- Walkthroughs by the external auditor
  - Prepare for walkthroughs by the external auditor
  - Receive and incorporate feedback from the external auditor on the design of internal controls
- Rollforward testing
  - Reconfirm that controls are effective in the final quarter of the fiscal year
  - Update earlier test results when the time elapsed since interim testing exceeds what the auditor will accept
- Finalization of deficiency evaluations
  - Summarize findings and remediation plans
  - Communicate with legal and the audit committee on required disclosures, if any
- Preparation of management’s SOX Section 404(a) report
  - Draft internal control effectiveness language for the Form 10-K filing
  - For Section 404(b) filers, coordinate with external auditors on the issuance of the auditor attestation report
- Transition to sustainment mode
  - Implement ongoing control monitoring
  - Build continual training and awareness programs for control owners
  - Establish a cadence for testing and periodic control refreshes
Deliverables:
- Management’s internal control report (SOX Section 404(a), if applicable)
- External auditor attestation report (SOX Section 404(b), if applicable)
- Final deficiency summary and disclosure recommendations
- SOX sustainment playbook for future years
Best practices for achieving SOX compliance
Achieving and sustaining SOX compliance, especially under Section 404(b), requires proactive planning and disciplined execution. Following are several best practices.
Prioritize early engagement. Start the SOX readiness process early, ideally about 18 months before the end of the first fiscal year for which a Section 404 assessment is required (for example, a company going public in October 2024 with a Dec. 31 year-end first needs a management assessment for FY 2025, so an ideal start date would be July 1, 2024). Doing so provides flexibility to address issues without deadline pressure. Companies that delay might encounter compressed testing cycles, unremediated gaps, a higher risk of severe deficiencies, and strained audit relationships.
Build a cross-functional team. Pull the right people in. SOX is not just a finance project; it touches IT, operations, legal, HR, and compliance. Defining clear roles, responsibilities, and ownership is key.
Invest in tools and automation. Use governance, risk, and compliance platforms to manage documentation, testing, and issue tracking. Automation helps reduce human error and increases testing coverage.
Maintain auditor alignment. Especially under Section 404(b), discuss control documentation, evidence, and test plans to align with auditor expectations and prevent last-minute surprises or audit rework.
Treat compliance as an opportunity. Approach SOX compliance as a chance to optimize internal processes, increase transparency, and build a stronger controls culture rather than viewing it as a burden.
A strategic advantage, not just a checklist
While demanding, ICFR is a critical pillar of financial transparency in public markets. Companies that invest in a thoughtful, phased approach tailored to their filer status and risk profile can better meet regulatory requirements and build investor trust, reduce business risk, and elevate operational maturity.
Whether you’re navigating your first IPO or transitioning from SOX Section 404(a) to Section 404(b) compliance, understanding your obligations and committing to a deliberate road map are key to lasting success.